Blocking Batch Files from operating on the desktop of a roaming profile

Question

Working in a Server 2008 R2 environment, we would like to block the creation and operation of batch files.

We use roaming profiles and folder redirected home drives and have successfully implemented File Screening using FSRM on the home drives, which works perfectly. However, if I try to use File Screening on the Desktop folder of the remotely stored roaming profile folder, it doesn't work.

The only other way I thought may work would be to use a GPO with software restriction policies and a Path Rule to attempt to stop them running and/or being created on the users' desktops.

Answers

We use folder redirection with FSRM file screens. This includes the Desktop and it works quite well. What sort of problems are you getting with the roaming profiles? The major difference I guess is with folder redirection, the file will be subject to the FSRM screen as soon as you try to create it, whereas with roaming profiles the file is created locally and then uploaded to your profile share later on?

Agree with Mark. AppLocker is able to do the trick. Deny the path of CMD.exe

Regards, Brian

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
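An added example, not code from this thread, of Brian's AppLocker suggestion applied to the batch files themselves rather than to cmd.exe: a Script rule collection that denies *.bat and *.cmd under every user's local Desktop (where a roaming profile's files land before they are synced, as Mark notes) while a broad allow keeps other scripts working, first tested against the policy and then merged in audit mode. The rule names, GUIDs and the placeholder test path are assumptions; enforcement needs the Application Identity service running.

```powershell
# Added example (not from the thread). Rule names, GUIDs and the test path are placeholders.
Import-Module AppLocker

# Deny rules win over allow rules in AppLocker, so one broad allow keeps logon
# scripts and other scripts working while the two deny rules cover the local
# copy of the roaming profile's Desktop, which is where the file is created first.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow all scripts (baseline)"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny .bat on user desktops"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Desktop\*.bat" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Deny .cmd on user desktops"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Desktop\*.cmd" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'desktop-batch-deny.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what this policy would decide for a sample file before
# applying anything. Test-AppLockerPolicy inspects files on disk, so create an
# empty placeholder under a Desktop folder and remove it afterwards.
$sample = "$env:SystemDrive\Users\Public\Desktop\test-placeholder.bat"
New-Item -ItemType File -Path $sample -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sample

# Merge into the local policy in audit mode; "would have been blocked" entries
# show up as event ID 8006 in the AppLocker "MSI and Script" log. Once the audit
# looks clean, change EnforcementMode to "Enabled" and re-apply. For a domain,
# use -Ldap with the GPO's LDAP path instead of writing the local policy.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```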

Thanks for your reply, that's perfect, I'll look forward to your reply. Any ideas on how to block the creation and running of batch files on the desktop of a roaming profile would be greatly appreciated.

We already block the use of CMD via GPO; however, that doesn't block any batch file that doesn't start cmd.

Thanks for your reply. The problem we are getting is that once the screen is applied it just doesn't do anything.

I've tried it on the top level of the roaming profile as well as just the Desktop sub folder, and I've also tried the passive approach, and it doesn't even log anything in the event log to say a file has been created or someone tried to use one.

I've applied the same screen on the home drive, which uses folder redirection, and it works perfectly.